Citrix NetScaler ADC and NetScaler Gateway Vulnerability Exploited in Denial-of-Service Attacks (CVE-2025-6543)

Citrix has released a security update to address a vulnerability impacting NetScaler appliances. Tracked as CVE-2025-6543, the memory overflow vulnerability may, if successfully exploited, lead to unintended control flow and denial of service. Citrix notes in its advisory that it has received reports of exploitation of this vulnerability on unmitigated appliances.

Citrix NetScaler ADC is a comprehensive application delivery and load balancing solution. It optimizes application performance, availability, and security by distributing, optimizing, and securing network traffic.

Citrix NetScaler Gateway is a secure remote access solution that provides a single entry point for users to access various applications and resources, both on-premises and in the cloud.

Prerequisites for exploitation

For the vulnerability to be successfully exploited, NetScaler must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

CitrixBleed2

Citrix patched another critical vulnerability last week, named CitrixBleed2. Tracked as CVE-2025-5777, the vulnerability may allow an attacker to hijack user sessions by extracting session tokens from a device's memory.

A similar Citrix flaw, named CitrixBleed, was previously abused by ransomware gangs and in attacks on governments in 2023 to gain access to NetScaler devices and move laterally across corporate environments.

Affected Versions

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.19
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.236-FIPS and 13.1-37.236-NDcPP

Note: The vulnerability does not affect NetScaler ADC 12.1-FIPS.
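The exposure prerequisite and the affected-version list above can be turned into a triage check for an asset inventory. The following is an added example, not code from Citrix or Qualys; it assumes version strings in the advisory's own notation (e.g. `14.1-47.46`, `13.1-37.236-FIPS`), optionally prefixed with `NS`, and treats the Gateway/AAA configuration as a separate flag supplied by the caller.

```python
import re
from typing import NamedTuple, Optional

# First fixed build per release/variant for CVE-2025-6543, as listed on this page.
# Key: (release, variant) -> (build, minor).
FIXED_BUILDS = {
    ("14.1", "MAIN"): (47, 46),
    ("13.1", "MAIN"): (59, 19),
    ("13.1", "FIPS"): (37, 236),
    ("13.1", "NDcPP"): (37, 236),
}

# Assumed input shape (advisory notation): "14.1-47.46", "13.1-37.236-FIPS",
# "13.1-37.236-NDcPP"; an optional leading "NS" is tolerated.
_VERSION_RE = re.compile(
    r"^(?:NS)?(?P<release>\d+\.\d+)-(?P<build>\d+)\.(?P<minor>\d+)"
    r"(?:-(?P<variant>FIPS|NDcPP))?$"
)


class Verdict(NamedTuple):
    vulnerable: Optional[bool]  # None when the version string cannot be assessed
    exposed: bool               # vulnerable AND configured as Gateway/AAA vserver
    reason: str


def assess_cve_2025_6543(version: str, is_gateway_or_aaa: bool = True) -> Verdict:
    """Compare a NetScaler build against the fixed builds for CVE-2025-6543.

    is_gateway_or_aaa reflects the prerequisite on this page: the appliance must
    be configured as a Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA vserver
    to be exploitable. An unexposed but unpatched box is still reported as
    vulnerable so it is not dropped from the patch queue.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return Verdict(None, False, f"unrecognised version string: {version!r}")
    release, variant = m["release"], m["variant"] or "MAIN"
    build = (int(m["build"]), int(m["minor"]))
    if release == "12.1" and variant == "FIPS":
        return Verdict(False, False, "12.1-FIPS is not affected per the bulletin")
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return Verdict(None, False, f"no fixed build known for {release} {variant}")
    if build >= fixed:  # tuple comparison: build number first, then minor
        return Verdict(False, False, f"at or above fixed build {fixed[0]}.{fixed[1]}")
    return Verdict(True, is_gateway_or_aaa, f"below fixed build {fixed[0]}.{fixed[1]}")
```

A `vulnerable=True, exposed=False` result means the build still needs the update even though the Gateway/AAA prerequisite is not currently met.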

Mitigation

Upgrade affected appliances to one of the following fixed releases:

  • NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP

Please refer to the Citrix Security Bulletin (CTX694788) for more information.

Qualys Detection

Qualys customers can scan their devices with QID 383418 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788
